From: Arvind Sankar <nivedita@alum.mit.edu>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Arvind Sankar <nivedita@alum.mit.edu>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
David Laight <David.Laight@aculab.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 2/6] crypto: lib/sha256 - Don't clear temporary variables
Date: Thu, 22 Oct 2020 23:17:57 -0400 [thread overview]
Message-ID: <20201023031757.GB135789@rani.riverdale.lan> (raw)
In-Reply-To: <20201022045850.GE857@sol.localdomain>
On Wed, Oct 21, 2020 at 09:58:50PM -0700, Eric Biggers wrote:
> On Tue, Oct 20, 2020 at 04:39:53PM -0400, Arvind Sankar wrote:
> > The assignments to clear a through h and t1/t2 are optimized out by the
> > compiler because they are unused after the assignments.
> >
> > These variables shouldn't be very sensitive: t1/t2 can be calculated
> > from a through h, so they don't reveal any additional information.
> > Knowing a through h is equivalent to knowing one 64-byte block's SHA256
> > hash (with non-standard initial value) which, assuming SHA256 is secure,
> > doesn't reveal any information about the input.
> >
> > Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
>
> I don't entirely buy the second paragraph. It could be the case that the input
> is less than or equal to one SHA-256 block (64 bytes), in which case leaking
> 'a' through 'h' would reveal the final SHA-256 hash if the input length is
> known. And note that callers might consider either the input, the resulting
> hash, or both to be sensitive information -- it depends.
The "non-standard initial value" was just parenthetical -- my thinking
was that revealing the hash, whether the real SHA hash or an
intermediate one starting at some other initial value, shouldn't reveal
the input; not that you get any additional security from being an
intermediate block. But if the hash itself could be sensitive, yeah then
a-h are sensitive anyway.
>
> > ---
> > lib/crypto/sha256.c | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
> > index d43bc39ab05e..099cd11f83c1 100644
> > --- a/lib/crypto/sha256.c
> > +++ b/lib/crypto/sha256.c
> > @@ -202,7 +202,6 @@ static void sha256_transform(u32 *state, const u8 *input)
> > state[4] += e; state[5] += f; state[6] += g; state[7] += h;
> >
> > /* clear any sensitive info... */
> > - a = b = c = d = e = f = g = h = t1 = t2 = 0;
> > memzero_explicit(W, 64 * sizeof(u32));
> > }
>
> Your change itself is fine, though. As you mentioned, these assignments get
> optimized out, so they weren't accomplishing anything.
>
> The fact is, there just isn't any way to guarantee in C code that all sensitive
> variables get cleared.
>
> So we shouldn't (and generally don't) bother trying to clear individual u32's,
> ints, etc. like this, but rather only structs and arrays, as clearing those is
> more likely to work as intended.
>
> - Eric
Ok, I'll just drop the second paragraph from the commit message then.
next prev parent reply other threads:[~2020-10-23 3:18 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-20 20:39 [PATCH v2 0/6] crypto: lib/sha256 - cleanup/optimization Arvind Sankar
2020-10-20 20:39 ` [PATCH v2 1/6] crypto: Use memzero_explicit() for clearing state Arvind Sankar
2020-10-22 4:36 ` Eric Biggers
2020-10-23 15:39 ` Arvind Sankar
2020-10-23 15:56 ` Eric Biggers
2020-10-23 20:45 ` Herbert Xu
2020-10-23 21:53 ` Eric Biggers
2020-10-29 7:00 ` Herbert Xu
2020-10-20 20:39 ` [PATCH v2 2/6] crypto: lib/sha256 - Don't clear temporary variables Arvind Sankar
2020-10-22 4:58 ` Eric Biggers
2020-10-23 3:17 ` Arvind Sankar [this message]
2020-10-20 20:39 ` [PATCH v2 3/6] crypto: lib/sha256 - Clear W[] in sha256_update() instead of sha256_transform() Arvind Sankar
2020-10-22 4:59 ` Eric Biggers
2020-10-20 20:39 ` [PATCH v2 4/6] crypto: lib/sha256 - Unroll SHA256 loop 8 times intead of 64 Arvind Sankar
2020-10-22 5:02 ` Eric Biggers
2020-10-23 3:12 ` Arvind Sankar
2020-10-23 3:16 ` Herbert Xu
2020-10-20 20:39 ` [PATCH v2 5/6] crypto: lib/sha256 - Unroll LOAD and BLEND loops Arvind Sankar
2020-10-22 5:02 ` Eric Biggers
2020-10-20 20:39 ` [PATCH v2 6/6] crypto: lib/sha - Combine round constants and message schedule Arvind Sankar
2020-10-20 21:36 ` David Laight
2020-10-21 15:16 ` Arvind Sankar
2020-10-22 4:34 ` Eric Biggers
2020-10-22 8:20 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201023031757.GB135789@rani.riverdale.lan \
--to=nivedita@alum.mit.edu \
--cc=David.Laight@aculab.com \
--cc=davem@davemloft.net \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).